UNCLASSIFIED

Targeting U.S. Technologies

Cyber Trends



Overview

DSS analysis of reports from defense industry indicates increased targeting of cleared industry unclassified computer networks. In FY06-FY07, the number of reports of Suspicious Cyber Activity (SCA) received from cleared industry significantly increased to 229 reports as compared to the 80 reports from FY04-FY05. Attempted computer intrusions and associated cyber-based activities represent an attractive, relatively low-risk option for many foreign entities seeking to further their Research and Development (R&D) programs and emulate U.S. technological advances. DSS refers identifiable computer network intrusion activity to law enforcement and operational counterintelligence agencies for further investigation.

Regions of Origin

FY06-FY07 cleared industry reporting indicates that entities in the East Asia and Pacific region were the most active collectors, accounting for 52 percent of all SCA reporting. Reporting indicates the likelihood that entities in this region are targeting the defense industrial base to further their own R&D programs as well as to improve their command, control, communications, and intelligence operations. The Europe and Eurasia region was the second most active collector, accounting for 21 percent of all SCA reporting. This percentage shows a slight increase over FY04-FY05 reporting, which ranked collector entities from that region at 16 percent. Although DSS makes every attempt at attribution, for much of the SCA reporting the actual origin of the activity remains undetermined or unknown. Such reports comprised the third largest category of SCA reporting.

Analyst Comments: It is likely this increase in reporting directly reflects both the Cleared Defense Contractors' (CDCs) increased cyber awareness and propensity to report, as well as traditional collectors' increased use of cyber-based exploitation tactics. (Confidence Level: High)

[Chart: Regions of Origin]

The chart above identifies the targeting entities' possible region of origin and is based solely on DSS analysis of SCRs. This chart does not necessarily represent regional-sponsorship for the cyber activity.

Collector Affiliations

DSS identifies SCA collectors after evaluating reported information, conducting research, and attempting to make correlations with historical collection attempts. When at all possible, DSS uses Internet Protocol (IP) as a baseline for determination of SCA reporting. When additional information is available, DSS analysts compare technical data such as file names and specific network intrusion methodologies to determine regional origin and organizational affiliation. Although so-called cyber "hacktivists," various transnational actors, and a variety of entities unique to a particular geographic region are behind some of these attempts, the nature of cyberspace makes it extremely difficult to attribute the collection attempts to specific government or commercial affiliations. For example, foreign entities can easily mask IP addresses, utilize freely available anonymous proxies, or launch attacks from any of the open WiFi hotspots across the globe. These resources, particularly with the increased availability of open anonymous proxies and the ease with which IP can be masked, complicate the security and counterintelligence community's ability to determine positive affiliation within a region of origin. In 96 percent of the events reported in FY06-FY07, DSS could not conclusively determine positive affiliation of the entity behind the SCA.

[Chart: Affiliations]

Method of Operations

Cyber collectors employed "Attempted Intrusions" as the most common Method of Operation (MO). In FY06-FY07, this MO characterized 61 percent of all Suspicious Contact Reports (SCRs). Many of these attempts to gain unauthorized access to CDC networks were through socially-engineered emails with malicious payloads, or software, to exploit popular commercial software programs.

The second most prevalent MO was "Confirmed Intrusion" activity. In FY06-FY07, 24 percent of all cyber SCRs were confirmed penetrations of the CDC's unclassified network.

In FY06-FY07, the remaining 15 percent of cyber SCRs included potential pre-attack reconnaissance, "botnet" activity (a botnet is a general term to refer to a collection of compromised computers, called "zombie computers," running malicious software under a common command and control infrastructure), suspected denial-of-service attacks, and firewall logs.

[Chart: Methods of Operation]

Targeted Technologies

FY06-FY07 industry reporting indicated foreign entities targeted all 20 technologies on the Developing Science and Technologies List. Cyber collectors most frequently sought "Information Systems" technology, accounting for over 40 percent of all cyber-related collection attempts. "Armaments and Energetic Materials" represented the second most targeted category of technology, accounting for nine percent of all SCA reporting. East Asia and Pacific regional collector entities were the most active collectors of this technology. "Aeronautics" technology was the third most targeted category of technology, accounting for seven percent of all SCA reporting.

[Chart: Targeted Technologies]

Analytical Forecast

It is highly likely the amount of cyber targeting and attacks on unclassified networks will increase in the coming years. The availability of attack tools and the ease with which networks can be successfully exploited make cyber targeting an attractive MO for collectors with the technical ability to access and manipulate CDCs' networks. It is likely that the number of network intrusion attempts will increase due to a growing awareness of the threat, propensity to report on the part of the CDC, as well as the development and fielding of enhanced detection methods. Furthermore, as the complexity of computer networks and the globalization of the defense industry increase, cyber targeting and collection will likely pose increasing challenges for defense industry to identify and counter. (Confidence Level: High)
